Summary
Session cookie values are logged in Sentry issues, allowing impersonation if a logged value is injected into a cookie.
Cause
Originally discovered in the Sentry Python SDK: the Django Integration sends the cookie values by default. In addition, Sentry SaaS / self-hosted is configured with send_default_pii enabled.
This should be resolved in the .NET and other SDKs and their related framework implementations as well.
Recommended Remediation
The Sentry Python SDK's Django Integration should be patched to never send the value of the cookie named by SESSION_COOKIE_NAME or CSRF_COOKIE_NAME. These values should be scrubbed regardless of the send_default_pii setting.
Other web framework integrations should have similar scrubbing put in place.
@mattjohnsonpint I know you said there were cases where it can be possible to scrub with certain frameworks, and without it, it could be difficult to identify, so we may need a best-effort approach and Relay will need to check for patterns.
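One way to implement the scrubbing recommended above, as an added example written for this issue rather than code from the Sentry SDK itself: a before_send hook for sentry_sdk.init that masks the Django session and CSRF cookies wherever the event carries them, regardless of send_default_pii. It assumes Django's default cookie names (sessionid, csrftoken); a real project would read SESSION_COOKIE_NAME and CSRF_COOKIE_NAME from settings.

```python
"""Scrub Django session/CSRF cookie values from Sentry events in a before_send hook."""
import copy

FILTERED = "[Filtered]"  # placeholder Sentry uses for scrubbed values

# Django's default cookie names (assumption); read them from settings in a real app.
SENSITIVE_COOKIES = frozenset({"sessionid", "csrftoken"})


def _scrub_cookie_header(value, names):
    """Rewrite a raw 'Cookie:' header string, masking only the named cookies."""
    parts = []
    for chunk in value.split(";"):
        chunk = chunk.strip()
        name, sep, _ = chunk.partition("=")
        parts.append(f"{name}={FILTERED}" if sep and name in names else chunk)
    return "; ".join(parts)


def scrub_session_cookies(event, names=SENSITIVE_COOKIES):
    """Return a copy of a Sentry event with session/CSRF cookie values masked.

    Covers both places the SDK may put cookies: request.cookies (dict or raw
    string) and the Cookie request header. The original event is left untouched.
    """
    event = copy.deepcopy(event)
    request = event.get("request")
    if not isinstance(request, dict):
        return event  # nothing request-related to scrub
    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in names:
            if name in cookies:
                cookies[name] = FILTERED
    elif isinstance(cookies, str):
        request["cookies"] = _scrub_cookie_header(cookies, names)
    headers = request.get("headers")
    if isinstance(headers, dict):
        for key in headers:
            if key.lower() == "cookie" and isinstance(headers[key], str):
                headers[key] = _scrub_cookie_header(headers[key], names)
    return event


def before_send(event, hint):
    """Register with sentry_sdk.init(before_send=before_send)."""
    return scrub_session_cookies(event)


if __name__ == "__main__":
    # Constructed sample resembling what the Django integration emits with PII on.
    sample = {"request": {"cookies": {"sessionid": "abc123", "theme": "dark"},
                          "headers": {"Cookie": "sessionid=abc123; theme=dark"}}}
    print(before_send(sample, None)["request"])
```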